CF Lecture 08 - Anti Forensics Techniques Part 1

The document discusses various anti-forensic techniques used by attackers to hide digital evidence and hinder forensic investigations. It describes how attackers can delete browser history, use data deletion and password protection methods, as well as techniques like steganography, encryption, and spoofing. The document also provides examples of how file headers and slack space can be manipulated. It outlines how deleted files can be recovered using tools and explains different password cracking attacks and common password types.

Uploaded by Faisal Shahzad
Dr. Zunera Jalil
Email: zunera.jalil@mail.au.edu.pk
Anti Forensics 2

A set of techniques that attackers or perpetrators use to avert or sidetrack the
forensic investigation process, or to make it much harder.

• Attackers try to reduce both the quality and the quantity of digital evidence.
• Attackers try to cover their tracks by deleting browser history, cache, and even cookies.
• They use purpose-built software and tools to alter their digital footprints.
Anti Forensics 3

• Makes a computer investigator's life difficult.
• Cybercriminals can perform a wide range of nefarious activities (committing fraud,
stealing crucial data, etc.) and then hide the traces.
• Anti-forensic tools are designed to hide or remove evidence and so hinder cyber
forensic analysis.
• Retrieving evidence during a computer investigation becomes exhausting.
Some Examples 4

• An attacker can alter the extension or the header of a file to deceive people.
 Renaming a .jpg to .mp3 gives the impression of an audio file, but the JPEG header
bytes (FF D8 FF) are unchanged, so signature analysis still identifies it as an image.
Overwriting the header bytes instead can fool a tool that trusts the signature; in both
cases the mismatch between extension, header and content is itself a red flag.
 An investigator who filters on a particular file format can skip over important evidence.
• An attacker can use slack space, i.e., the unused bytes between the end of a file's data
and the end of its last allocated cluster, to hide sensitive sections of a file.
• Dividing a file into smaller pieces and hiding them in the slack space of many files
makes data retrieval and reassembly challenging.
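The check an investigator runs against the renamed-file trick above is signature analysis: compare what the extension claims with what the magic bytes say. The following is an added example, not code from the lecture; the signature table and the sample files are constructed for the demonstration and cover only a handful of formats.

```python
"""Added example (not from the lecture): compare a file's extension with its
magic bytes, the signature analysis that catches a .jpg renamed to .mp3 and
flags a header that has been overwritten."""
import os

# Constructed signature table (magic bytes, offset, type). A real tool such as
# `file` or TrID knows thousands of signatures; these cover the lecture's example.
SIGNATURES = [
    (b"\xFF\xD8\xFF", 0, "jpeg"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"%PDF-", 0, "pdf"),
    (b"PK\x03\x04", 0, "zip"),
    (b"ID3", 0, "mp3"),          # MP3 with an ID3v2 tag
    (b"\xFF\xFB", 0, "mp3"),     # bare MPEG-1 Layer III frame sync
]

# What each extension claims to be.
EXTENSION_TYPES = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
    ".zip": "zip", ".docx": "zip", ".mp3": "mp3",
}


def identify(data):
    """Return the type implied by the file header, or None if unknown."""
    for magic, offset, name in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def check_file(filename, data):
    """Compare what the extension claims with what the header says.

    verdict: 'ok'       extension and header agree
             'mismatch' both known but different (e.g. JPEG data named .mp3)
             'unknown'  header matches nothing (possibly altered): inspect it
             'untyped'  extension not in our table
    """
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_TYPES.get(ext)
    actual = identify(data)
    if claimed is None:
        verdict = "untyped"
    elif actual is None:
        verdict = "unknown"
    elif claimed == actual:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {"filename": filename, "extension_says": claimed,
            "header_says": actual, "verdict": verdict}


# Constructed samples: a minimal JPEG header plus filler, once with a misleading
# extension and once with its first three bytes overwritten by an attacker.
JPEG_BYTES = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 32
RENAMED = check_file("song.mp3", JPEG_BYTES)                        # mismatch
ALTERED = check_file("photo.jpg", b"\x00\x00\x00" + JPEG_BYTES[3:])  # unknown

if __name__ == "__main__":
    for result in (RENAMED, ALTERED):
        print(result)
```

The `unknown` verdict is the caveat: an altered header defeats a signature table, so a practitioner treats "known extension, unrecognised header" as a file to carve or inspect by hand rather than as noise.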
Anti-Forensic Techniques 5

• Data Deletion
• Password Protection
• Steganography
• Encryption
• Tunnelling
• Onion Routing
• Obfuscation
• Spoofing
Data Deletion 6

• To hide their criminal and illegal activities, attackers sometimes delete important
data and files.
• Recovering deleted data and files can help investigators in their cases.
• Data recovery tools are used to recover deleted data.
• In the FAT file system, when a file is deleted:
• the OS replaces the first byte of the directory entry (the first character of the
filename) with the hex value E5h; the rest of the entry, including the starting
cluster and the file size, is left intact
• the file's entries in the FAT are zeroed so its clusters are marked as unused, but the
clusters still contain the data until they are overwritten
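What the E5h marker looks like on disk, and why recovery is possible, is easiest to see in the directory entry itself. This is an added example, not code from the lecture: it packs FAT 8.3 directory entries following the published layout, "deletes" one the way the driver does, and scans the directory. The sample directory is constructed; the FAT chain zeroing is not modelled.

```python
"""Added example (not from the lecture): build a few FAT 8.3 directory entries,
"delete" one the way the OS does (first byte -> 0xE5), then scan the directory
to show that the deleted entry's starting cluster and size survive."""
import struct

DELETED_MARKER = 0xE5
ATTR_LONG_NAME = 0x0F
# name(8) ext(3) attr(1) [ctime/adate 8] cluster_hi(2) [wtime/wdate 4] cluster_lo(2) size(4)
ENTRY_FMT = "<8s3sB8xH4xHI"


def make_entry(name, ext, first_cluster, size, attr=0x20):
    """Pack one 32-byte short-name directory entry (timestamps left zero)."""
    raw_name = name.upper().encode("ascii").ljust(8, b" ")
    raw_ext = ext.upper().encode("ascii").ljust(3, b" ")
    return struct.pack(ENTRY_FMT, raw_name, raw_ext, attr,
                       (first_cluster >> 16) & 0xFFFF, first_cluster & 0xFFFF, size)


def delete_entry(entry):
    """What a FAT driver does on unlink: overwrite the first name byte with E5h.
    (It also zeroes the file's FAT chain, which is not modelled here.)"""
    return bytes([DELETED_MARKER]) + entry[1:]


def scan_directory(data):
    """Walk a directory region and report live and deleted short-name entries."""
    found = []
    for off in range(0, len(data) - 31, 32):
        entry = data[off:off + 32]
        if entry[0] == 0x00:          # 0x00 = no entries beyond this point
            break
        if entry[11] == ATTR_LONG_NAME:
            continue                  # VFAT long-name fragments, skip
        name, ext, _attr, hi, lo, size = struct.unpack(ENTRY_FMT, entry)
        deleted = entry[0] == DELETED_MARKER
        # The original first character is gone; recovery tools show a placeholder.
        base = (b"_" + name[1:]) if deleted else name
        filename = base.decode("ascii", "replace").rstrip()
        if ext.strip():
            filename += "." + ext.decode("ascii", "replace").rstrip()
        found.append({"name": filename, "deleted": deleted,
                      "first_cluster": (hi << 16) | lo, "size": size})
    return found


# Constructed directory: a live file, a deleted file, then the end-of-directory marker.
DIRECTORY = (
    make_entry("REPORT", "DOC", first_cluster=5, size=4096)
    + delete_entry(make_entry("SECRET", "TXT", first_cluster=12, size=1337))
    + b"\x00" * 32
)

if __name__ == "__main__":
    for entry in scan_directory(DIRECTORY):
        print(entry)
```

With the first cluster and the size still in the entry, a recovery tool reads `size` bytes starting at that cluster and assumes the file was contiguous; because the FAT chain was zeroed, fragmented deleted files are the ones that come back corrupted.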
Data Deletion 7

• In the NTFS file system, when a file is deleted:
• the OS clears the "in use" flag of the file's record in the master file table (MFT);
the record's attributes (name, timestamps, data runs) remain until the record is reused
• the clusters allocated to the file are marked as free in $Bitmap
• the freed clusters are available for new files, and the data in them survives until
they are reallocated and overwritten
• The $Bitmap metadata file keeps track of every used and unused cluster on an NTFS
volume, one bit per cluster.
• When a file takes up space on the NTFS volume, the clusters it uses are marked in $Bitmap.

https://whereismydata.wordpress.com/2009/06/01/forensics-what-is-the-bitmap/
Where is Recycle Bin located? 8

• The Recycle Bin is a temporary storage space for deleted files in the Windows OS.
Files can be restored from it.
• Question: Does a file deleted from a USB flash drive go to the Recycle Bin? YES or NO?
(No: files deleted from removable media bypass the Recycle Bin and are deleted
immediately, which is why such drives are a common recovery target.)
• Where is the Recycle Bin located?
• C:\RECYCLED (FAT, Windows 98 and earlier)
• C:\RECYCLER (NTFS, Windows NT, 2000 and XP)
• C:\$Recycle.Bin (NTFS, Windows Vista and later)
• All deleted files on FAT go to the C:\RECYCLED directory.
• On NTFS, deleted files are sorted into per-user subdirectories of C:\RECYCLER
(or C:\$Recycle.Bin) named after the user's security identifier (SID).
• The Recycle Bin has a configurable maximum size; a file larger than the limit is
deleted immediately instead of being moved to it.
Where Deleted Data goes? 9

• In Windows XP and earlier (C:\RECYCLER), the name and path of each deleted file are
stored in a hidden file called INFO or INFO2, which is used to restore the file later.
• In Windows Vista and later (C:\$Recycle.Bin), the deleted file is renamed to:
• $R<#>.<original extension>
• where <#> is a set of six random letters and digits
 A metadata file is created and named:
• $I<#>.<original extension>
• where <#> is the same set of random letters and digits as for the $R file
 The $I file contains the original file name and path, the file size, and the date and
time of deletion.
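The $I file is small and its layout is fixed, so it is worth parsing directly from an image even when the matching $R file has been overwritten. This is an added example, not code from the lecture: it builds and parses $I files in both on-disk layouts (version 1 used by Vista through 8.1 with a fixed 520-byte path field; version 2 used by Windows 10 and later with a character count before the path). The sample path and timestamp are constructed.

```python
"""Added example (not from the lecture): build and parse $I metadata files in
both on-disk layouts, to show what the Recycle Bin records about a deleted file.
Layout: 8-byte version, 8-byte original size, 8-byte FILETIME of deletion, then
the original path (v1: fixed 520 bytes UTF-16; v2: 4-byte char count, UTF-16)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return round((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def parse_dollar_i(data):
    """Decode one $I file; raises on a version this parser does not know."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)   # count includes the NUL
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def build_dollar_i(version, path, size, deleted_at):
    """Inverse of parse_dollar_i, used here to construct sample input."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + encoded
    raise ValueError(f"unsupported $I version {version}")


# Constructed sample: a 1 MiB spreadsheet deleted on 2023-05-04 12:30:00 UTC.
SAMPLE_PATH = "C:\\Users\\alice\\Documents\\ledger.xlsx"
SAMPLE_TIME = datetime(2023, 5, 4, 12, 30, 0, tzinfo=timezone.utc)
I_V1 = build_dollar_i(1, SAMPLE_PATH, 1048576, SAMPLE_TIME)
I_V2 = build_dollar_i(2, SAMPLE_PATH, 1048576, SAMPLE_TIME)

if __name__ == "__main__":
    print(parse_dollar_i(I_V1))
    print(parse_dollar_i(I_V2))
```

In a live case the $I files sit under `$Recycle.Bin\<SID>\`, so the SID of the directory plus the deletion timestamp ties the deletion to a user account and a time even when the content ($R) is gone.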
Recovering Files in Windows 10

• Sometimes files that were deleted from the Recycle Bin have to be recovered.
• A file can be lost due to a reinstallation, or may be removed by a virus or a system failure.
• Recovery tools are used to recover lost data from storage media.
• This data may still reside in unallocated clusters (marked free but not yet overwritten)
or in the slack space at the end of other files' clusters.
• Disk Drill
• Recuva
• R-Studio
• EaseUS Data Recovery
• Stellar Recovery
Recovering Deleted Partition 11

• An attacker can delete a partition on a logical drive, and all data on the drive is
apparently lost.
• An attacker can delete a partition on a dynamic disk as well.
• Only the parameters describing how the partition is laid out (the partition table
entry) are deleted, not the data itself.
• The data can be recovered by scanning the disk for the partition's boot sector and
rebuilding the table entry.
• Active@ Partition Recovery is a tool used to recover deleted and damaged logical
drives and partitions.
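To make concrete that deleting a partition removes only its table entry, the following added example (not code from the lecture or from Active@) builds a tiny MBR-partitioned image with a FAT32 and an NTFS volume, wipes one table entry, and then finds the volume again by scanning every sector for a filesystem boot sector. The MBR, FAT32 and NTFS field offsets follow the published layouts; the image is constructed and only 64 sectors long.

```python
"""Added example (not from the lecture): delete a partition table entry, then
recover the partition by carving boot sectors from the raw image."""
import struct

SECTOR = 512
MBR_TABLE = 446                    # partition table offset within sector 0
ENTRY_FMT = "<B3xB3xII"            # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(image):
    """List the partitions the MBR still claims exist."""
    if image[510:512] != b"\x55\xAA":
        raise ValueError("no MBR signature")
    parts = []
    for slot in range(4):
        _status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, image, MBR_TABLE + 16 * slot)
        if ptype and count:
            parts.append({"slot": slot, "type": ptype, "start_lba": lba, "sectors": count})
    return parts


def delete_partition(image, slot):
    """Zero one 16-byte table entry; nothing else on the disk changes."""
    off = MBR_TABLE + 16 * slot
    return image[:off] + b"\x00" * 16 + image[off + 16:]


def carve_boot_sectors(image):
    """Scan every sector for a FAT32 or NTFS boot sector and read its size field."""
    found = []
    for lba in range(1, len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[510:512] != b"\x55\xAA":
            continue
        if sec[3:11] == b"NTFS    ":
            (total,) = struct.unpack_from("<Q", sec, 0x28)      # NTFS total sectors
            found.append({"fs": "NTFS", "start_lba": lba, "sectors": total})
        elif sec[0x52:0x5A] == b"FAT32   ":
            (total,) = struct.unpack_from("<I", sec, 0x20)      # FAT32 total sectors
            found.append({"fs": "FAT32", "start_lba": lba, "sectors": total})
    return found


def _fat32_boot(total_sectors):
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x58\x90"
    struct.pack_into("<I", sec, 0x20, total_sectors)
    sec[0x52:0x5A] = b"FAT32   "
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def _ntfs_boot(total_sectors):
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x52\x90"
    sec[3:11] = b"NTFS    "
    struct.pack_into("<Q", sec, 0x28, total_sectors)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def build_image():
    """Constructed 64-sector image: FAT32 at LBA 8 (16 sectors), NTFS at LBA 32 (24 sectors)."""
    img = bytearray(64 * SECTOR)
    struct.pack_into(ENTRY_FMT, img, MBR_TABLE, 0x80, 0x0C, 8, 16)        # slot 0: FAT32 LBA
    struct.pack_into(ENTRY_FMT, img, MBR_TABLE + 16, 0x00, 0x07, 32, 24)  # slot 1: NTFS
    img[510:512] = b"\x55\xAA"
    img[8 * SECTOR:9 * SECTOR] = _fat32_boot(16)
    img[32 * SECTOR:33 * SECTOR] = _ntfs_boot(24)
    return bytes(img)


IMAGE = build_image()
DAMAGED = delete_partition(IMAGE, 1)      # the attacker removes the NTFS entry

if __name__ == "__main__":
    print("table says:", parse_mbr(DAMAGED))
    print("disk says: ", carve_boot_sectors(DAMAGED))
```

Real tools add two checks worth knowing: NTFS keeps a backup boot sector in the last sector of the volume, so a candidate can be confirmed by finding its twin at `start_lba + sectors`, and the carved start and size must fit between the neighbouring partitions before the entry is written back.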
Password Protection 12

• Sometimes data sources are password protected and investigators need to break
the passwords.
• The time to crack a password is related to its bit strength, a measure of the
password's entropy, and to the details of how the password is stored (plaintext,
reversibly obfuscated, or hashed, and whether the hash is salted and slow).
• Most methods of password cracking require the computer to produce many candidate
passwords, each of which is checked against the stored value.
• Strong passwords are hard to break and may take too long.
• Weak passwords can be broken in a few seconds.
Types of Passwords 13

• Three types of passwords:
 Cleartext: stored and transmitted as typed
 Obfuscated: stored and transmitted after a reversible transformation, so it can be
decoded directly once the scheme is known
 Hashed: stored as the output of a hash algorithm (MD5/SHA), which is not reversible;
it has to be cracked by guessing candidates and comparing their hashes
Password Breaking 14

• Password crackers are used to recover passwords of a system, network resources,
a file or an application.
• Breaking methods are:
1. Dictionary Attack:
 The intruder attempts to crack a password-protected security system with a
"dictionary list" of common words and phrases used by businesses and individuals.

2. Brute Force Attack:
 A program tries every combination of characters from a chosen character set, up to
a given length, until the password is found; the number of candidates grows
exponentially with the length.

3. Rule Based Attack:
 A password cracking technique used when the attacker knows which rules passwords
in a particular system are based on, such as "alphanumeric and eight characters long";
the keyspace is restricted to candidates that follow the rules, and dictionary words
are transformed accordingly (capitalisation, appended digits, substitutions).
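The three methods, run against an unsalted SHA-256 hash of the kind the previous slide describes, as an added example that is not part of the lecture. The wordlist, rule set and target passwords are constructed; `keyspace` and `seconds_to_exhaust` carry the arithmetic behind "strong passwords take too long". Real crackers such as hashcat and John the Ripper apply the same three ideas at GPU speed.

```python
"""Added example (not from the lecture): dictionary, rule-based and brute-force
attacks on an unsalted SHA-256 password hash, plus keyspace arithmetic."""
import hashlib
import itertools


def sha256_hex(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a wordlist such as rockyou.txt.
WORDLIST = ["password", "letmein", "welcome", "summer", "dragon", "qwerty"]


def dictionary_attack(target_hash, words):
    """Try each word exactly as it appears in the list."""
    for word in words:
        if sha256_hex(word) == target_hash:
            return word
    return None


def apply_rules(word):
    """A small rule set: case changes and common suffixes (hashcat-style mangling)."""
    variants = {word, word.capitalize(), word.upper()}
    out = set(variants)
    for base in variants:
        for suffix in ("!", "1", "123", "2024"):
            out.add(base + suffix)
    return sorted(out)


def rule_based_attack(target_hash, words):
    """Dictionary words transformed by rules that mirror how people build passwords."""
    for word in words:
        for candidate in apply_rules(word):
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def brute_force_attack(target_hash, charset, max_len):
    """Every string over charset up to max_len; returns (password, candidates tried)."""
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            tried += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, tried
    return None, tried


def keyspace(charset_size, max_len):
    """Number of candidates a brute force must cover in the worst case."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(charset_size, max_len, guesses_per_second):
    return keyspace(charset_size, max_len) / guesses_per_second


if __name__ == "__main__":
    print(dictionary_attack(sha256_hex("summer"), WORDLIST))          # found as-is
    print(dictionary_attack(sha256_hex("Summer2024"), WORDLIST))      # None
    print(rule_based_attack(sha256_hex("Summer2024"), WORDLIST))      # rules find it
    print(brute_force_attack(sha256_hex("4821"), "0123456789", 4))    # ('4821', 5932)
    # 95 printable ASCII characters, up to 8 long, at 1e10 SHA-256/s: days of work
    print(seconds_to_exhaust(95, 8, 1e10) / 86400)
```

The order of the three calls is also the order a practitioner runs them: the dictionary is cheapest, rules multiply it by a small constant, and brute force is the fallback whose cost `keyspace` makes explicit; a salted, slow hash (bcrypt, scrypt, Argon2) divides `guesses_per_second` by orders of magnitude and removes the shortcut of hashing each candidate once for many users.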
Password Protection 15

• Sometimes users do not change the password supplied by the manufacturer of a device.
• The default password can then be used to break in.
• You can search for default passwords in databases such as:

• https://default-password.info/
• https://passwordsdatabase.com/
ANY QUESTIONS
